-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.0544
   IBM has announced a release for IBM Security Identity Governance and
       Intelligence in response to multiple security vulnerabilities
                             21 February 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Security Identity Governance and Intelligence
Publisher:         IBM
Operating System:  Network Appliance
Impact/Access:     Root Compromise                -- Remote/Unauthenticated      
                   Denial of Service              -- Remote/Unauthenticated      
                   Cross-site Request Forgery     -- Remote with User Interaction
                   Cross-site Scripting           -- Remote with User Interaction
                   Provide Misleading Information -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-1000199 CVE-2018-10915 CVE-2018-8897
                   CVE-2018-7489 CVE-2018-5968 CVE-2018-5740
                   CVE-2018-3693 CVE-2018-3646 CVE-2018-3620
                   CVE-2018-1950 CVE-2018-1949 CVE-2018-1948
                   CVE-2018-1947 CVE-2018-1946 CVE-2018-1945
                   CVE-2018-1944 CVE-2018-1272 CVE-2018-1271
                   CVE-2018-1270 CVE-2018-1091 CVE-2018-1087
                   CVE-2018-1068 CVE-2018-0125 CVE-2018-0124
                   CVE-2017-17485 CVE-2017-16939 CVE-2017-15095
                   CVE-2017-7957 CVE-2017-7525 CVE-2016-1000031
                   CVE-2016-9878 CVE-2016-9739 CVE-2016-6810
                   CVE-2016-3674 CVE-2016-3092 CVE-2016-3088
                   CVE-2016-0782 CVE-2016-0734 CVE-2016-0357
                   CVE-2016-0340 CVE-2016-0339 CVE-2016-0338
                   CVE-2016-0330 CVE-2015-6524 CVE-2015-5254
                   CVE-2015-5237 CVE-2015-5184 CVE-2015-5183
                   CVE-2015-5182 CVE-2015-1830 CVE-2014-8110
                   CVE-2014-3612 CVE-2014-3600 CVE-2014-3596
                   CVE-2014-3576 CVE-2014-1904 CVE-2014-0114
                   CVE-2014-0054 CVE-2014-0050 CVE-2013-7315
                   CVE-2013-7285 CVE-2013-6429 CVE-2013-4517
                   CVE-2013-4152 CVE-2013-3060 CVE-2013-2186
                   CVE-2013-2172 CVE-2013-1880 CVE-2013-1879
                   CVE-2013-0248 CVE-2012-6551 CVE-2012-6092
                   CVE-2012-5784 CVE-2011-4905 CVE-2011-2730
                   CVE-2010-1622  

Reference:         ASB-2019.0046
                   ASB-2019.0029
                   ASB-2019.0002
                   ESB-2019.0290
                   ESB-2019.0253.3
                   ESB-2019.0251
                   ESB-2019.0237
                   ESB-2019.0148
                   ESB-2019.0131
                   ESB-2019.0063

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=ibm10872142

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: IBM has announced a release for IBM Security Identity
Governance and Intelligence in response to multiple security vulnerabilities

Security Bulletin

Summary

IBM has announced a release for IBM Security Identity Governance and
Intelligence (IGI) in response to multiple security vulnerabilities. The
release includes multiple vulnerability fixes for open source libraries
distributed with IGI, as well as fixes for less secure cryptographic
algorithms, XSS attacks and clickjacking attacks.

Vulnerability Details

CVEID:  CVE-2018-0124
DESCRIPTION: Cisco Unified Communications Domain Manager could allow a remote
attacker to execute arbitrary code on the system, caused by insecure key
generation during application configuration. By sending arbitrary requests
using the insecure key, an attacker could exploit this vulnerability to bypass
security protections, gain elevated privileges and execute arbitrary code on
the system.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/139282 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:  CVE-2018-0125
DESCRIPTION: Cisco RV132W ADSL2+ Wireless-N VPN and RV134W VDSL2 Wireless-AC
VPN Routers could allow a remote attacker to execute arbitrary code on the
system, caused by an incomplete input validation on user-controlled input in
an HTTP request in the Web interface. By sending a specially crafted HTTP
request, an attacker could exploit this vulnerability to execute arbitrary
code with root privileges or cause the device to reload.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/138770 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:  CVE-2015-5237
DESCRIPTION: Google Protocol Buffers could allow a remote attacker to execute
arbitrary code on the system, caused by an integer overflow in
MessageLite::SerializeToString. A remote attacker could exploit this
vulnerability to execute arbitrary code on the vulnerable system or cause a
denial of service.
CVSS Base Score: 6.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/105989 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)

CVEID:  CVE-2013-4517
DESCRIPTION: Apache Santuario XML Security for Java is vulnerable to a denial
of service, caused by an out of memory error when allowing Document Type
Definitions (DTDs). A remote attacker could exploit this vulnerability via XML
Signature transforms to cause a denial of service.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/89891 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID:  CVE-2014-3596
DESCRIPTION: Apache Axis and Axis2 could allow a remote attacker to conduct
spoofing attacks, caused by an incomplete fix related to the failure to
verify that the server hostname matches a domain name in the subject's Common
Name (CN) field of the X.509 certificate. By persuading a victim to visit a
Web site containing a specially-crafted certificate, an attacker could exploit
this vulnerability using man-in-the-middle techniques to spoof an SSL server.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/95377 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID:  CVE-2012-5784
DESCRIPTION: Apache Axis 1.4, as used in multiple products, could allow a
remote attacker to conduct spoofing attacks, caused by the failure to verify
that the server hostname matches a domain name in the subject's Common Name
(CN) field of the X.509 certificate. An attacker could exploit this
vulnerability using man-in-the-middle techniques to spoof an SSL server and
launch further attacks against a vulnerable target.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/79829 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID:  CVE-2013-2186
DESCRIPTION: Apache commons-fileupload could allow a remote attacker to
overwrite arbitrary files on the system, caused by a NULL byte in the
implementation of the DiskFileItem class. By sending a serialized instance of
the DiskFileItem class, an attacker could exploit this vulnerability to write
or overwrite arbitrary files on the system.
CVSS Base Score: 6.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/88133 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:P)

CVEID:  CVE-2016-3092
DESCRIPTION: Apache Tomcat is vulnerable to a denial of service, caused by an
error in the Apache Commons FileUpload component. By sending file upload
requests, an attacker could exploit this vulnerability to cause the server to
become unresponsive.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/114336 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:  CVE-2016-1000031
DESCRIPTION: Apache Commons FileUpload, as used in Novell NetIQ Sentinel and
other products, could allow a remote attacker to execute arbitrary code on the
system, caused by deserialization of untrusted data in DiskFileItem class of
the FileUpload library. A remote attacker could exploit this vulnerability to
execute arbitrary code under the context of the current process.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/117957 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:  CVE-2014-0050
DESCRIPTION: Apache Commons FileUpload, as used in Apache Tomcat, Solr, and
other products is vulnerable to a denial of service, caused by the improper
handling of Content-Type HTTP header for multipart requests by
MultipartStream.java. An attacker could exploit this vulnerability using a
specially crafted Content-Type header to cause the application to enter into
an infinite loop.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90987 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID:  CVE-2013-2172
DESCRIPTION: Apache Santuario XML Security for Java could allow a remote
attacker to conduct spoofing attacks, caused by the failure to restrict
canonicalization algorithms to be applied to the CanonicalizationMethod
parameter. An attacker could exploit this vulnerability to spoof the XML
signature.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/85323 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID:  CVE-2013-0248
DESCRIPTION: Apache Commons FileUpload could allow a local attacker to launch
a symlink attack. Temporary files are created insecurely. A local attacker
could exploit this vulnerability by creating a symbolic link from a temporary
file to various files on the system, which could allow the attacker to
overwrite arbitrary files on the system with elevated privileges.
CVSS Base Score: 3.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/82618 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:N/C:N/I:P/A:P)

CVEID:  CVE-2014-0054
DESCRIPTION: Pivotal Spring Framework could allow a remote attacker to obtain
sensitive information, caused by an XML External Entity Injection (XXE) error
in Jaxb2RootElementHttpMessageConverter when processing XML data. By sending
specially-crafted XML data, an attacker could exploit this vulnerability to
read arbitrary files and obtain sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/91841 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID:  CVE-2013-7315
DESCRIPTION: Pivotal Spring Framework could allow a remote attacker to obtain
sensitive information, caused by an XML External Entity Injection (XXE) error
when processing XML data. By sending a specially-crafted request, an attacker
could exploit this vulnerability to read arbitrary files and obtain sensitive
information.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/95219 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID:  CVE-2013-6429
DESCRIPTION: Spring Framework could allow a remote attacker to obtain
sensitive information, caused by an error when parsing XML entities. By
persuading a victim to open a specially-crafted XML document containing
external entity references, an attacker could exploit this vulnerability to
obtain sensitive information.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90451 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVEID:  CVE-2013-4152
DESCRIPTION: Pivotal Spring Framework could allow a remote attacker to obtain
sensitive information, caused by an XML External Entity Injection (XXE) error
when processing XML data. By sending a specially-crafted request, an attacker
could exploit this vulnerability to read arbitrary files and obtain sensitive
information.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/86589 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID:  CVE-2011-2730
DESCRIPTION: Spring Framework could allow a remote attacker to obtain
sensitive information, caused by an error when handling the Expression
Language. An attacker could exploit this vulnerability to obtain classpaths
and other sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/69688 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID:  CVE-2010-1622
DESCRIPTION: Spring Framework could allow a remote attacker to execute
arbitrary code on the system, caused by an error in the mechanism to use
client provided data to update the properties of an object. An attacker could
exploit this vulnerability to execute arbitrary code on the system.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/59573 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID:  CVE-2018-1272
DESCRIPTION: Pivotal Spring Framework could allow a remote authenticated
attacker to gain elevated privileges on the system, caused by improper input
validation. By sending a specially-crafted request, an attacker could exploit
this vulnerability to gain elevated privileges.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/141286 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L)

CVEID:  CVE-2018-1271
DESCRIPTION: Pivotal Spring Framework could allow a remote attacker to
traverse directories on the system, caused by improper validation of user
request. An attacker could send a specially-crafted URL request containing
"dot dot" sequences (/../) to configure Spring MVC to serve static resources.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/141285 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:  CVE-2018-1270
DESCRIPTION: Pivotal Spring Framework could allow a remote attacker to execute
arbitrary code on the system, caused by the exposure of STOMP over WebSocket
endpoints with a STOMP broker through the spring-messaging module. By sending
a specially-crafted message, an attacker could exploit this vulnerability to
execute arbitrary code on the system.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/141284 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:  CVE-2016-9878
DESCRIPTION: Pivotal Spring Framework could allow a remote attacker to
traverse directories on the system, caused by the failure to sanitize paths
provided to ResourceServlet. An attacker could send a specially-crafted URL
request containing directory traversal sequences to view arbitrary files on
the system.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120241 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:  CVE-2014-1904
DESCRIPTION: Spring MVC is vulnerable to cross-site scripting, caused by
improper validation of user-supplied input by the FormTag.java script. A
remote attacker could exploit this vulnerability using a specially-crafted URL
to execute script in a victim's Web browser within the security context of
the hosting Web site, once the URL is clicked. An attacker could use this
vulnerability to steal the victim's cookie-based authentication credentials.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/91890 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID:  CVE-2013-3060
DESCRIPTION: Apache ActiveMQ is vulnerable to a denial of service, caused by
the failure to require authentication, by the Web console. By sending
specially-crafted HTTP requests, an attacker could exploit this vulnerability
to obtain sensitive information or cause a denial of service.
CVSS Base Score: 6.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83719 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:P)

CVEID:  CVE-2013-1880
DESCRIPTION: Apache ActiveMQ is vulnerable to cross-site scripting, caused by
improper validation of user-supplied input by the demo/portfolioPublish
script. A remote attacker could exploit this vulnerability using the refresh
parameter in a specially-crafted URL to execute script in a victim's Web
browser within the security context of the hosting Web site, once the URL is
clicked. An attacker could use this vulnerability to steal the victim's
cookie-based authentication credentials.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/103075 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID:  CVE-2013-1879
DESCRIPTION: Apache ActiveMQ is vulnerable to cross-site scripting, caused by
improper validation of user-supplied input when handling cron jobs. A remote
attacker could exploit this vulnerability using specific parameters to inject
malicious script into a Web page which would be executed in a victim's Web
browser within the security context of the hosting Web site, once the page is
viewed. An attacker could use this vulnerability to steal the victim's
cookie-based authentication credentials.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/85586 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID:  CVE-2012-6551
DESCRIPTION: Apache ActiveMQ is vulnerable to a denial of service, caused by
the enablement of a sample web application by the default configuration. By
sending specially-crafted HTTP requests, an attacker could exploit this
vulnerability to consume broker resources and cause a denial of service.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83718 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID:  CVE-2012-6092
DESCRIPTION: Apache ActiveMQ is vulnerable to cross-site scripting, caused by
improper validation of user-supplied input by multiple vectors. A remote
attacker could exploit this vulnerability using various parameters in a
specially-crafted URL to execute script in a victim's Web browser within the
security context of the hosting Web site, once the URL is clicked. An attacker
could use this vulnerability to steal the victim's cookie-based
authentication credentials.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83720 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID:  CVE-2011-4905
DESCRIPTION: Apache ActiveMQ is vulnerable to a denial of service, caused by
an error in the failover mechanism when handling an openwire connection
request. By sending a specially-crafted request, a remote attacker could
exploit this vulnerability to cause the broker service to crash.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/71620 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID:  CVE-2015-1830
DESCRIPTION: Apache ActiveMQ could allow a remote attacker to traverse
directories on the system, caused by an error in the fileserver
upload/download functionality. By placing a jsp file in the admin console, an
attacker could exploit this vulnerability to execute arbitrary shell commands
on the system.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/105644 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:  CVE-2014-8110
DESCRIPTION: Apache ActiveMQ is vulnerable to cross-site scripting, caused by
improper validation of user-supplied input. A remote attacker could exploit
this vulnerability using a specially-crafted URL to execute script in a
victim's Web browser within the security context of the hosting Web site,
once the URL is clicked. An attacker could use this vulnerability to steal the
victim's cookie-based authentication credentials.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/100724 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID:  CVE-2014-3612
DESCRIPTION: Apache ActiveMQ could allow a remote authenticated attacker to
bypass security restrictions, caused by an error in the LDAPLoginModule
implementation. By sending an empty password, an attacker could exploit this
vulnerability to bypass the authentication mechanism of an application using
LDAPLoginModule and assume the role of another user.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/100723 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID:  CVE-2014-3600
DESCRIPTION: Apache ActiveMQ could allow a remote attacker to obtain sensitive
information, caused by an XML External Entity Injection (XXE) error when
processing XML data. By sending specially-crafted XML data to specify an XPath
based selector, an attacker could exploit this vulnerability to obtain
sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/100722 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID:  CVE-2014-3576
DESCRIPTION: Apache ActiveMQ is vulnerable to a denial of service, caused by
an error in the processControlCommand function in broker/
TransportConnection.java. A remote attacker could use the shutdown command to
shut down the service.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107290 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:  CVE-2015-6524
DESCRIPTION: Apache ActiveMQ is vulnerable to a brute force attack, caused by
an error in the LDAPLoginModule implementation. An attacker could exploit this
vulnerability using the wildcard in usernames to obtain user credentials.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/106187 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID:  CVE-2015-5254
DESCRIPTION: Apache ActiveMQ could allow a remote attacker to execute
arbitrary code on the system, caused by the failure to restrict the classes
that can be serialized in the broker. An attacker could exploit this
vulnerability using a specially crafted serialized Java Message Service (JMS)
ObjectMessage object to execute arbitrary code on the system.
CVSS Base Score: 7.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/109632 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:  CVE-2015-5184
DESCRIPTION: Red Hat JBoss A-MQ could allow a remote attacker to obtain
sensitive information, caused by the Access-Control-Allow-Origin header
permitting unrestricted sharing in the Hawtio console. By sending a
specially-crafted request, a remote attacker could exploit this vulnerability
to obtain sensitive information.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/132635 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:  CVE-2015-5183
DESCRIPTION: Red Hat JBoss A-MQ could allow a remote attacker to obtain
sensitive information, caused by the absence of HTTPOnly or Secure attributes
on cookies configured in the Hawtio console. By sending a specially-crafted
request, a remote attacker could exploit this vulnerability to obtain an
authenticated user's SessionID.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/132634 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:  CVE-2015-5182
DESCRIPTION: Red Hat JBoss A-MQ is vulnerable to cross-site request forgery,
caused by improper validation of user-supplied input by the jolokia API. By
persuading an authenticated user to visit a malicious Web site, a remote
attacker could send a malformed HTTP request to perform unauthorized actions.
An attacker could exploit this vulnerability to perform cross-site scripting
attacks, Web cache poisoning, and other malicious activities.
CVSS Base Score: 8.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/132633 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVEID:  CVE-2016-0782
DESCRIPTION: Apache ActiveMQ is vulnerable to cross-site scripting, caused by
improper validation of user-supplied input by the web based administration
console. A remote attacker could exploit this vulnerability using a
specially-crafted URL to execute script in a victim's Web browser within the
security context of the hosting Web site, once the URL is clicked. An attacker
could use this vulnerability to steal the victim's cookie-based
authentication credentials.
CVSS Base Score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111420 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID:  CVE-2016-0734
DESCRIPTION: Apache ActiveMQ could allow a remote attacker to hijack the
clicking action of the victim, caused by the failure to set the
X-Frame-Options header in HTTP responses by the Administrative Web console. By
persuading a victim to visit a malicious Web site, a remote attacker could
exploit this vulnerability to hijack the victim's click actions.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111421 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)

CVEID:  CVE-2016-3088
DESCRIPTION: Apache ActiveMQ could allow a remote attacker to execute
arbitrary code on the system, caused by an error in the Fileserver web
application. By sending a specially crafted HTTP PUT request and an HTTP MOVE
request, an attacker could exploit this vulnerability to create an arbitrary
file and execute arbitrary code on the system.
CVSS Base Score: 7.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/113414 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:  CVE-2016-6810
DESCRIPTION: Apache ActiveMQ is vulnerable to cross-site scripting, caused by
improper validation of user-supplied input. A remote attacker could exploit
this vulnerability in a specially-crafted URL to execute script in a victim's
Web browser within the security context of the hosting Web site, once the URL
is clicked. An attacker could use this vulnerability to steal the victim's
cookie-based authentication credentials.
CVSS Base Score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/119699 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID:  CVE-2016-9739
DESCRIPTION: IBM Security Identity Manager Virtual Appliance stores user
credentials in clear text, which can be read by a local user.
CVSS Base Score: 6.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/119789 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:  CVE-2016-0357
DESCRIPTION: IBM Security Identity Manager Virtual Appliance could allow a
remote attacker to hijack the clicking action of the victim. By persuading a
victim to visit a malicious Web site, a remote attacker could exploit this
vulnerability to hijack the victim's click actions and possibly launch
further attacks against the victim.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111896 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:  CVE-2016-0340
DESCRIPTION: IBM Security Identity Manager Virtual Appliance could allow a
local user to take over a previously logged in user due to session expiration
not being enforced.
CVSS Base Score: 4.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111780 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:  CVE-2016-0339
DESCRIPTION: IBM Security Identity Manager Virtual Appliance could allow an
attacker with traffic records between a victim and the ISIM to spoof another
user due to invalid session identifiers after the victim has logged out.
CVSS Base Score: 5.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111749 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:  CVE-2016-0338
DESCRIPTION: IBM Security Identity Manager Virtual Appliance could allow a
local user to obtain sensitive information including passwords in cleartext by
examining configuration files and/or running processes.
CVSS Base Score: 6.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111748 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:  CVE-2016-0330
DESCRIPTION: IBM Security Identity Manager Virtual Appliance uses a weak
password algorithm which allows users to create insecure passwords. An
attacker could exploit this vulnerability to gain access to the system.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111693 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:  CVE-2016-3092
DESCRIPTION: Apache Tomcat is vulnerable to a denial of service, caused by an
error in the Apache Commons FileUpload component. By sending file upload
requests, an attacker could exploit this vulnerability to cause the server to
become unresponsive.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/114336 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:  CVE-2016-1000031
DESCRIPTION: Apache Commons FileUpload, as used in Novell NetIQ Sentinel and
other products, could allow a remote attacker to execute arbitrary code on the
system, caused by deserialization of untrusted data in DiskFileItem class of
the FileUpload library. A remote attacker could exploit this vulnerability to
execute arbitrary code under the context of the current process.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/117957 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:  CVE-2014-0050
DESCRIPTION: Apache Commons FileUpload, as used in Apache Tomcat, Solr, and
other products is vulnerable to a denial of service, caused by the improper
handling of Content-Type HTTP header for multipart requests by
MultipartStream.java. An attacker could exploit this vulnerability using a
specially crafted Content-Type header to cause the application to enter into
an infinite loop.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90987 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID:  CVE-2013-0248
DESCRIPTION: Apache Commons FileUpload could allow a local attacker to launch
a symlink attack. Temporary files are created insecurely. A local attacker
could exploit this vulnerability by creating a symbolic link from a temporary
file to various files on the system, which could allow the attacker to
overwrite arbitrary files on the system with elevated privileges.
CVSS Base Score: 3.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/82618 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:N/C:N/I:P/A:P)

CVEID:  CVE-2018-7489
DESCRIPTION: FasterXML jackson-databind could allow a remote attacker to
execute arbitrary code on the system, caused by a deserialization flaw in the
readValue method of the ObjectMapper. By sending specially crafted JSON input,
an attacker could exploit this vulnerability to execute arbitrary code on the
system.
CVSS Base Score: 7.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/139549 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:  CVE-2018-5968
DESCRIPTION: FasterXML jackson-databind could allow a remote attacker to
execute arbitrary code on the system, caused by deserialization flaws. By
using two different gadgets that bypass a blacklist, an attacker could exploit
this vulnerability to execute arbitrary code on the system.
CVSS Base Score: 7.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/138088 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:  CVE-2017-7525
DESCRIPTION: Apache Struts could allow a remote attacker to execute arbitrary
code on the system, caused by a deserialization flaw within the Jackson JSON
library in the readValue method of the ObjectMapper. By sending a
specially-crafted request, an attacker could exploit this vulnerability to
execute arbitrary code on the system.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/134639 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:  CVE-2017-17485
DESCRIPTION: Jackson-databind could allow a remote attacker to execute
arbitrary code on the system, caused by a flaw in the default-typing feature.
An attacker could exploit this vulnerability to execute arbitrary code on the
system.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/137340 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:  CVE-2017-15095
DESCRIPTION: Jackson Library could allow a remote attacker to execute
arbitrary code on the system, caused by a deserialization flaw in the
readValue() method of the ObjectMapper. By sending specially crafted data, an
attacker could exploit this vulnerability to execute arbitrary code on the
system.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/135123 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:  CVE-2014-0114
DESCRIPTION: Apache Struts could allow a remote attacker to execute arbitrary
code on the system, caused by the failure to restrict the setting of Class
Loader attributes. An attacker could exploit this vulnerability using the
class parameter of an ActionForm object to manipulate the ClassLoader and
execute arbitrary code on the system.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/92889 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID:  CVE-2018-1000199
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a
ptrace() error handling flaw. By invoking the modify_user_hw_breakpoint()
function, a local attacker could exploit this vulnerability to cause the
kernel to crash.
CVSS Base Score: 6.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/142654 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:  CVE-2018-8897
DESCRIPTION: Multiple operating systems could allow a local authenticated
attacker to gain elevated privileges on the system, caused by developer
interpretation of hardware debug exception documentation for the MOV to SS and
POP SS instructions. An attacker could exploit this vulnerability using
operating system APIs to obtain sensitive memory information or control
low-level operating system functions and other unexpected behavior.
CVSS Base Score: 7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/142242 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID:  CVE-2018-1091
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a
missing processor feature check in the flush_tmregs_to_thread function. A
local attacker could exploit this vulnerability to cause the guest kernel to
crash.
CVSS Base Score: 6.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/140892 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:  CVE-2018-1087
DESCRIPTION: Linux Kernel could allow a local attacker to gain elevated
privileges on the system, caused by the improper handling of exceptions
delivered after a stack switch operation using the MOV to SS and POP SS
instructions by the KVM hypervisor. An attacker could exploit this
vulnerability to gain elevated privileges or cause the guest to crash.
CVSS Base Score: 8.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/142976 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:  CVE-2018-1068
DESCRIPTION: Linux Kernel could allow a local authenticated attacker to gain
elevated privileges on the system, caused by an error in the implementation of
the 32-bit syscall interface. An attacker could exploit this vulnerability to
gain root privileges on the system.
CVSS Base Score: 8.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/140403 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)

CVEID:  CVE-2017-16939
DESCRIPTION: Linux Kernel could allow a remote attacker to gain elevated
privileges on the system, caused by a use-after-free in the Netlink socket
subsystem XFRM. By sending a specially-crafted request, an attacker could
exploit this vulnerability to gain privileges.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/135317 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:  CVE-2018-10915
DESCRIPTION: PostgreSQL could allow a remote attacker to bypass security
restrictions, caused by an issue with improperly resetting internal state in
between connections in the libpq library. By sending a specially-crafted
request, an attacker could exploit this vulnerability to bypass client-side
connection security features.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/148225 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID:  CVE-2018-5740
DESCRIPTION: ISC BIND is vulnerable to a denial of service, caused by a defect
in the deny-answer-aliases feature. By triggering this defect, a remote
attacker could exploit this vulnerability to cause an INSIST assertion failure
in name.c.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/148131 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:  CVE-2018-3693
DESCRIPTION: Intel Haswell Xeon, AMD PRO and ARM Cortex A57 CPUs could allow a
local authenticated attacker to obtain sensitive information, caused by a
bounds check bypass in the CPU speculative branch instruction execution
feature. By conducting targeted cache side-channel attacks, an attacker could
exploit this vulnerability to cross the syscall boundary and read data from
the CPU virtual memory.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/146191 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)

CVEID:  CVE-2018-3646
DESCRIPTION: Multiple Intel CPUs could allow a local attacker to obtain
sensitive information, caused by a flaw in the CPU speculative branch
instruction execution feature. By conducting targeted cache side-channel
attacks and via a terminal page fault, an attacker with guest OS privilege
could exploit this vulnerability to leak information residing in the L1 data
cache and read data belonging to different security contexts.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/148319 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)

CVEID:  CVE-2018-3620
DESCRIPTION: Multiple Intel CPUs could allow a local attacker to obtain
sensitive information, caused by a flaw in the CPU speculative branch
instruction execution feature. By conducting targeted cache side-channel
attacks and via a terminal page fault, an attacker could exploit this
vulnerability to leak information residing in the L1 data cache and read data
belonging to different security contexts. Note: This vulnerability is also
known as the "L1 Terminal Fault (L1TF)" or "Foreshadow" attack.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/148318 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)

CVEID:  CVE-2018-1944
DESCRIPTION: IBM Security Identity Governance Virtual Appliance contains
hard-coded credentials, such as a password or cryptographic key, which it uses
for its own inbound authentication, outbound communication to external
components, or encryption of internal data.
CVSS Base Score: 5.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/153386 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:  CVE-2018-1945
DESCRIPTION: IBM Security Identity Governance Virtual Appliance could allow a
remote attacker to hijack the clicking action of the victim. By persuading a
victim to visit a malicious Web site, a remote attacker could exploit this
vulnerability to hijack the victim's click actions and possibly launch further
attacks against the victim.
CVSS Base Score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/153387 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID:  CVE-2017-7957
DESCRIPTION: XStream is vulnerable to a denial of service, caused by the
improper handling of attempts to create an instance of the primitive type
'void' during unmarshalling. A remote attacker could exploit this
vulnerability to cause the application to crash.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/125800 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:  CVE-2016-3674
DESCRIPTION: XStream could allow a remote attacker to obtain sensitive
information, caused by an error when processing XML external entities. By
sending specially-crafted XML data, an attacker could exploit this
vulnerability to obtain sensitive information.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111806 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:  CVE-2013-7285
DESCRIPTION: XStream could allow a remote attacker to execute arbitrary code
on the system, caused by an error in the XMLGenerator API. An attacker could
exploit this vulnerability to execute arbitrary code on the system or cause
the application to crash.
CVSS Base Score: 6.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90229 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVEID:  CVE-2018-1946
DESCRIPTION: IBM Security Identity Governance Virtual Appliance supports
interaction between multiple actors and allows those actors to negotiate which
algorithm should be used as a protection mechanism such as encryption or
authentication, but it does not select the strongest algorithm that is
available to both parties.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/153388 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:  CVE-2018-1947
DESCRIPTION: IBM Security Identity Governance Virtual Appliance is vulnerable
to cross-site scripting. This vulnerability allows users to embed arbitrary
JavaScript code in the Web UI thus altering the intended functionality
potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/153427 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID:  CVE-2018-1948
DESCRIPTION: IBM Security Identity Governance Virtual Appliance does not set
the secure attribute on authorization tokens or session cookies. Attackers may
be able to get the cookie values by sending a http:// link to a user or by
planting this link in a site the user goes to. The cookie will be sent to the
insecure link and the attacker can then obtain the cookie value by snooping
the traffic.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/153428 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

CVEID:  CVE-2018-1949
DESCRIPTION: IBM Security Identity Governance Virtual Appliance discloses
sensitive information to unauthorized users. The information can be used to
mount further attacks on the system.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/153429 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

CVEID:  CVE-2018-1950
DESCRIPTION: IBM Security Identity Governance Virtual Appliance generates an
error message that includes sensitive information about its environment,
users, or associated data which could be used in further attacks against the
system.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/153430 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

IBM Security Identity Governance and Intelligence (IGI) 5.2, 5.2.1, 5.2.2,
5.2.2.1, 5.2.3, 5.2.3.1, 5.2.3.2, 5.2.4, 5.2.4.1

Remediation/Fixes

+-------------------------+------------------------+--------------------------+
|Product Name             |VRMF                    |First Fix                 |
+-------------------------+------------------------+--------------------------+
|IGI                      |5.2                     |5.2.5.0-ISS-ISIG-VA-FP0000|
+-------------------------+------------------------+--------------------------+
|IGI                      |5.2.1                   |5.2.5.0-ISS-ISIG-VA-FP0000|
+-------------------------+------------------------+--------------------------+
|IGI                      |5.2.2                   |5.2.5.0-ISS-ISIG-VA-FP0000|
+-------------------------+------------------------+--------------------------+
|IGI                      |5.2.2.1                 |5.2.5.0-ISS-ISIG-VA-FP0000|
+-------------------------+------------------------+--------------------------+
|IGI                      |5.2.3                   |5.2.5.0-ISS-ISIG-VA-FP0000|
+-------------------------+------------------------+--------------------------+
|IGI                      |5.2.3.1                 |5.2.5.0-ISS-ISIG-VA-FP0000|
+-------------------------+------------------------+--------------------------+
|IGI                      |5.2.3.2                 |5.2.5.0-ISS-ISIG-VA-FP0000|
+-------------------------+------------------------+--------------------------+
|IGI                      |5.2.4                   |5.2.5.0-ISS-ISIG-VA-FP0000|
+-------------------------+------------------------+--------------------------+
|IGI                      |5.2.4.1                 |5.2.5.0-ISS-ISIG-VA-FP0000|
+-------------------------+------------------------+--------------------------+

Workarounds and Mitigations

None

Acknowledgement

IBM X-Force Ethical Hacking Team: Ron Craig, Warren Moynihan, Jonathan
Fitz-Gerald, John Zuccato, Rodney Ryan, Chris Shepherd, Dmitriy Beryoza

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================